Try to restart ssh Group X (HA1-MAIN) tunnel for reconnection to peer

Created On 08/26/22 01:23 AM - Last Modified 11/17/25 20:50 PM


Symptom


  • HA1 is down in an HA setup even though the HA interface runtime state is 'Up' on both peers. [ Runtime link speed/duplex/state: 1000/full/up ]
  • In ha_agent.logs, you see the errors below.

ha_agent.logs:-
------------------
2022-08-25 00:34:30.667 -0700 Error: ha_peer_conn_complete_callback(src/ha_peer.c:3132): Group 20 (HA1-MAIN): Failed connect socket 8
2022-08-25 00:34:30.667 -0700 ha1: Try to restart ssh Group 20 (HA1-MAIN) tunnel for reconnection to peer
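
One way to spot this symptom in exported ha_agent logs, as an added example (not Palo Alto Networks code): it pairs each "Failed connect socket" error with the SSH tunnel restart that follows on the same group and link. The sample lines are constructed from the two entries quoted above; the function names and the 5-second pairing window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the two entries quoted above, repeated once, plus a filler line.
SAMPLE_LOG = """\
2022-08-25 00:34:30.667 -0700 Error: ha_peer_conn_complete_callback(src/ha_peer.c:3132): Group 20 (HA1-MAIN): Failed connect socket 8
2022-08-25 00:34:30.667 -0700 ha1: Try to restart ssh Group 20 (HA1-MAIN) tunnel for reconnection to peer
2022-08-25 00:34:45.101 -0700 Error: ha_peer_conn_complete_callback(src/ha_peer.c:3132): Group 20 (HA1-MAIN): Failed connect socket 8
2022-08-25 00:34:45.102 -0700 ha1: Try to restart ssh Group 20 (HA1-MAIN) tunnel for reconnection to peer
2022-08-25 00:35:00.000 -0700 ha1: constructed filler line, not a real PAN-OS message
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4})"
WHO = r"Group (?P<group>\d+) \((?P<link>[\w-]+)\)"
FAIL = re.compile(TS + r" Error: .*?" + WHO + r": Failed connect socket \d+")
RESTART = re.compile(TS + r" ha1: Try to restart ssh " + WHO + r" tunnel for reconnection to peer")


def parse_ts(text):
    """Parse the log timestamp, including its UTC offset."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f %z")


def find_ha1_tunnel_restarts(log_text, window=timedelta(seconds=5)):
    """Return {(group, link): [datetime, ...]} for every SSH tunnel restart
    that follows a 'Failed connect socket' error on the same group and link."""
    last_fail = {}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL.match(line)
        if m:
            last_fail[(int(m["group"]), m["link"])] = parse_ts(m["ts"])
            continue
        m = RESTART.match(line)
        if m:
            key = (int(m["group"]), m["link"])
            ts = parse_ts(m["ts"])
            failed = last_fail.get(key)
            # A restart only counts when a connect failure preceded it within the window.
            if failed is not None and timedelta(0) <= ts - failed <= window:
                hits[key].append(ts)
    return dict(hits)


if __name__ == "__main__":
    for (group, link), times in find_ha1_tunnel_restarts(SAMPLE_LOG).items():
        print(f"Group {group} ({link}): {len(times)} failed connect + SSH tunnel "
              f"restart pairs, first {times[0]}, last {times[-1]}")
```

Repeated pairs for the same group while the interface state is still up match the symptom described here.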


Environment


- All PAN-OS (VM, hardware)
- Active/passive or active/active high availability (HA) configured with encryption enabled for HA1.


Cause


1. If you enable encryption on the HA1 control link, the firewall uses a default host key type of RSA 2048 unless you change it.
2. The HA1 SSH connection uses only the default host key type to authenticate the HA peers (before an encrypted session is established between them). You can change the default host key type; the choices are ECDSA 256, 384, or 521, or RSA 2048, 3072, or 4096.


Resolution


1. You can enable encryption on HA1 traffic between two Palo Alto Networks firewalls by following the article below.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClLgCAK

2. For a quick workaround, you can uncheck "Encryption Enabled" and HA1 will come up.




Additional Information


  • (If HA1 Backup is configured) admin@PA> request high-availability session-reestablish
  • (No HA1 Backup is configured or HA1 Backup link is down) admin@PA> request high-availability session-reestablish force

You can force the firewall to reestablish HA1 sessions if there is no HA1 backup, which causes a brief split-brain condition between the two HA peers. (Using the force option when an HA1 backup is configured has no effect.)

